Cyber Network Defense

Vulnerability Assessment & Penetration Testing (VAPT)

Vulnerability Assessment & Penetration Testing (VAPT) is the process of identifying security gaps in your IT infrastructure by mimicking real-world attacks. Think of it as quality assurance for your IT security. By exploiting security vulnerabilities under controlled conditions, penetration testing helps you determine how best to mitigate them and protect your vital business data from future cyber-security attacks.

What Does Penetration Testing Mean to a Business?

A penetration test is a crucial component of network security. Through these tests a business can identify:

Security vulnerabilities before a hacker does

Gaps in information security compliance

The response time of their information security team, i.e. how long it takes the team to realize that there is a breach and mitigate the impact

The potential real-world effect of a data breach or cybersecurity attack

Actionable remediation guidance

Types of Services

Black-Box Testing

Zero knowledge of the target IT Infrastructure

Testing as an attacker

White-Box Testing

Full knowledge of the target IT Infrastructure

Testing as a developer

Grey-Box Testing

Combination of both White and Black box testing methods

Some knowledge of the target IT Infrastructure

Testing as a user with access to some data

Web Security Assessments

Your website is the public face of the organization among your customers, suppliers and potential investors. Web application attacks, launched on port 80/443, go straight through the firewall, past the operating system and network level security, and right into the heart of your application and corporate data. Tailor-made web applications are often insufficiently tested, have undiscovered vulnerabilities and are therefore easy prey for hackers.

CICRA can conduct this scan externally and provide you with a detailed report on the possible vulnerabilities and how to remediate them. With years of information security experience, CICRA will conduct this scan using state-of-the-art scanning methodologies to uncover vulnerabilities inside your website.

Mobile Security Assessment

Mobile application security testing can help ensure there aren’t any loopholes in the software that may cause data loss. The sets of tests are meant to attack the app to identify possible threats and vulnerabilities that would allow external persons or systems to access private information stored on the mobile device.

SAST – Static Application Security Testing

SAST analyzes application source code, byte code and binaries for coding and design conditions that are indicative of security vulnerabilities. SAST solutions analyze an application from the "inside out" in a non-running state.

DAST – Dynamic Application Security Testing

DAST tools are designed to detect conditions indicative of a security vulnerability in an application in its running state. It is performed without a view into the internal source code or application architecture, using the same techniques that an attacker would use to find potential weaknesses.

An API is a set of programming conventions that enables data transmission between one software product and another. It also defines the terms of this data exchange. Basically, an API specifies how software components should interact.

Why APIs

APIs drive almost all kinds of applications, including web, mobile, IoT and many others. The API layer is the visible backbone of any application: it is where all the data and requests get processed. As a result, the API layer exposes a very large surface area for attacks, as evident in the latest hacks against Google+ and Facebook. Hackers are now targeting API-specific vulnerabilities, specifically around data access controls including Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). This has allowed hackers to retrieve resources that they should not have been able to access.
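The access-control weakness described above is what an API assessment looks for: an endpoint that authenticates the caller but never checks whether that caller may read the specific object requested. The following is an added illustration, not code from this page or from CICRA or APISec, using a constructed invoice store and hypothetical roles. It shows the unchecked handler beside one that enforces an RBAC permission (the role must be allowed to read invoices at all) and an ABAC ownership attribute (a customer may read only invoices they own).

```python
"""Object-level access control for an API endpoint: RBAC plus an ABAC
ownership check. Constructed example with hypothetical roles and data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # hypothetical roles: "admin" or "customer"


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner_id: str
    amount: int


# Constructed sample data standing in for a database table.
INVOICES = {
    "inv-1": Invoice("inv-1", owner_id="alice", amount=120),
    "inv-2": Invoice("inv-2", owner_id="bob", amount=80),
}

# RBAC: which permissions each role carries (hypothetical names).
ROLE_PERMISSIONS = {
    "admin": {"invoice:read", "invoice:read_any"},
    "customer": {"invoice:read"},
}


class Forbidden(Exception):
    """Raised when an authenticated caller is not authorized for the object."""


def get_invoice_unchecked(user: User, invoice_id: str) -> Invoice:
    """Weak pattern: the caller is authenticated, but any invoice id in the
    request is returned. Any customer can read any other customer's invoice."""
    return INVOICES[invoice_id]


def authorize_invoice_read(user: User, invoice: Invoice) -> None:
    """RBAC check first, then the ABAC ownership attribute."""
    perms = ROLE_PERMISSIONS.get(user.role, set())
    if "invoice:read" not in perms:
        raise Forbidden(f"role {user.role!r} may not read invoices")
    if "invoice:read_any" in perms:
        return  # e.g. an admin may read every invoice
    if invoice.owner_id != user.user_id:
        raise Forbidden(f"{user.user_id} does not own {invoice.invoice_id}")


def get_invoice(user: User, invoice_id: str) -> Invoice:
    """Hardened handler: look the object up, then authorize against it."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    authorize_invoice_read(user, invoice)
    return invoice


def can_read(user: User, invoice_id: str) -> bool:
    """Convenience predicate so callers (and tests) get a boolean verdict."""
    try:
        get_invoice(user, invoice_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    alice = User("alice", "customer")
    # Unchecked handler leaks bob's invoice to alice.
    print("unchecked:", get_invoice_unchecked(alice, "inv-2"))
    # Hardened handler: own invoice allowed, someone else's refused.
    print("own invoice:", can_read(alice, "inv-1"))
    print("other's invoice:", can_read(alice, "inv-2"))
    print("admin:", can_read(User("root", "admin"), "inv-2"))
```

The point for an assessor is that the object id in the request is attacker-controlled input; the fix is not to hide ids but to authorize every lookup against the caller's role and the object's attributes, and to log refusals so that enumeration attempts show up in monitoring.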

Assessment Methodology

APISec™ - Enterprise-Class API Security Platform

APISec delivers instant and continuous API security coverage and compliance. It allows enterprises to protect applications from attacks targeting the API layer, which represent the majority of all security vulnerabilities today.

Shorten Test Cycles with Distributed Executions & CI/CD Integration

Scanners parallelize executions and run them in a distributed manner. The scanners can be automatically provisioned on local machines or across any private or public cloud. Additionally, integration with common CI/CD tools like Jenkins, Bamboo, TeamCity and others allows enterprises to find vulnerabilities as early as possible in the development cycle.